diff --git a/wufuc/core.c b/wufuc/core.c
index dac3717..2ea7e65 100644
--- a/wufuc/core.c
+++ b/wufuc/core.c
@@ -52,7 +52,7 @@ DWORD WINAPI NewThreadProc(LPVOID lpParam) {
 WaitForSingleObject(hEvent, INFINITE);
- _tdbgprintf(_T("Received wufuc_UnloadEvent, removing hooks."));
+ _tdbgprintf(_T("Unload event was set, removing hooks."));
 SuspendProcessThreads(dwProcessId, dwThreadId, lphThreads, _countof(lphThreads), &cb);
 RESTORE_IAT(hm, LoadLibraryExA);
@@ -110,9 +110,11 @@ BOOL PatchWUModule(HMODULE hModule) {
 SIZE_T rva;
 if (!FindPattern(modinfo.lpBaseOfDll, modinfo.SizeOfImage, lpszPattern, 0, &rva)) {
+ _tdbgprintf(_T("Could not match byte pattern. Not good!"));
 return FALSE;
 }
 SIZE_T fpIsDeviceServiceable = (SIZE_T)modinfo.lpBaseOfDll + rva;
+ _tdbgprintf(_T("Matched pattern at %p"), fpIsDeviceServiceable);
 BOOL *lpbNotRunOnce = (BOOL *)(fpIsDeviceServiceable + n1 + sizeof(DWORD) + *(DWORD *)(fpIsDeviceServiceable + n1));
 if (*lpbNotRunOnce) {
@@ -121,7 +123,7 @@ BOOL PatchWUModule(HMODULE hModule) {
 VirtualProtect(lpbNotRunOnce, sizeof(BOOL), flNewProtect, &flOldProtect);
 *lpbNotRunOnce = FALSE;
 VirtualProtect(lpbNotRunOnce, sizeof(BOOL), flOldProtect, &flNewProtect);
- _tdbgprintf(_T("Patched %p=%d"), lpbNotRunOnce, *lpbNotRunOnce);
+ _tdbgprintf(_T("Patched value at %p = %d"), lpbNotRunOnce, *lpbNotRunOnce);
 }
 BOOL *lpbCachedResult = (BOOL *)(fpIsDeviceServiceable + n2 + sizeof(DWORD) + *(DWORD *)(fpIsDeviceServiceable + n2));
@@ -131,7 +133,7 @@ BOOL PatchWUModule(HMODULE hModule) {
 VirtualProtect(lpbCachedResult, sizeof(BOOL), flNewProtect, &flOldProtect);
 *lpbCachedResult = TRUE;
 VirtualProtect(lpbCachedResult, sizeof(BOOL), flOldProtect, &flNewProtect);
- _tdbgprintf(_T("Patched %p=%d"), lpbCachedResult, *lpbCachedResult);
+ _tdbgprintf(_T("Patched value at %p = %d"), lpbCachedResult, *lpbCachedResult);
 }
 return TRUE;
 }
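Review bot: The new `Matched pattern at %p` print in the @@ -110 hunk passes `fpIsDeviceServiceable`, a SIZE_T, to a `%p` conversion, which is a type mismatch that `-Wformat` flags and is only coincidentally correct where SIZE_T and pointers share a width; cast it, `_tdbgprintf(_T("Matched pattern at %p."), (LPVOID)fpIsDeviceServiceable);`, or use `%Ix`. The lines that follow read a rel32 displacement at `fpIsDeviceServiceable + n1` and `+ n2` and then dereference the computed target without checking either against `modinfo.SizeOfImage`; `FindPattern` only establishes that `rva` itself lies inside the image, so if `n1`/`n2` can reach past the matched bytes, a range check before the first `*(DWORD *)` read would make that failure as explicit as the new "Could not match" message. PatchWUModule begins before this hunk, so where `n1`, `n2` and `modinfo` come from is not visible here.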
@@ -142,11 +144,13 @@ HMODULE WINAPI _LoadLibraryExA(
 _In_ DWORD dwFlags
 ) {
 HMODULE result = LoadLibraryExA(lpFileName, hFile, dwFlags);
+ _dbgprintf("Loaded library: %s.", lpFileName);
 CHAR path[MAX_PATH + 1];
 get_svcdllA("wuauserv", path, _countof(path));
 if (!_stricmp(lpFileName, path)) {
+ _dbgprintf("%s is wu module, applying patch...", lpFileName);
 PatchWUModule(result);
 }
 return result;
@@ -158,11 +162,13 @@ HMODULE WINAPI _LoadLibraryExW(
 _In_ DWORD dwFlags
 ) {
 HMODULE result = LoadLibraryExW(lpFileName, hFile, dwFlags);
+ _wdbgprintf(L"Loaded library: %s.", lpFileName);
 WCHAR path[MAX_PATH + 1];
 get_svcdllW(L"wuauserv", path, _countof(path));
 if (!_wcsicmp(lpFileName, path)) {
+ _wdbgprintf(L"%s is wu module, applying patch...", lpFileName);
 PatchWUModule(result);
 }
 return result;
diff --git a/wufuc/entrypoint.c b/wufuc/entrypoint.c
index dc855bb..b55d860 100644
--- a/wufuc/entrypoint.c
+++ b/wufuc/entrypoint.c
@@ -24,14 +24,13 @@ void CALLBACK Rundll32Entry(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int n
 }
 TCHAR lpLibFileName[MAX_PATH + 1];
 GetModuleFileName(HINST_THISCOMPONENT, lpLibFileName, _countof(lpLibFileName));
- InjectLibrary(dwProcessId, lpLibFileName, _countof(lpLibFileName));
 }
 void CALLBACK Rundll32Unload(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow) {
 HANDLE hEvent = OpenEvent(EVENT_MODIFY_STATE, FALSE, _T("Global\\wufuc_UnloadEvent"));
 if (hEvent) {
- _tdbgprintf(_T("Setting wufuc_UnloadEvent..."));
+ _tdbgprintf(_T("Setting unload event..."));
 SetEvent(hEvent);
 CloseHandle(hEvent);
 }
diff --git a/wufuc/service.c b/wufuc/service.c
index 01f1d09..110e77f 100644
--- a/wufuc/service.c
+++ b/wufuc/service.c
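Review bot: In the @@ -142 hunk the new "applying patch" print and the existing `PatchWUModule(result)` call run regardless of whether `LoadLibraryExA` succeeded, so a failed load of the Windows Update module logs a patch that was never applied and hands a NULL module to PatchWUModule; guard on the result, `if (result && !_stricmp(lpFileName, path)) {`. The `_LoadLibraryExW` hunk at @@ -158 has the same gap. Note also that `get_svcdllA`'s return value is ignored on the line above the comparison, so if it fails the contents of `path` depend on whatever it wrote before failing; skipping the comparison when it returns FALSE would close that as well. Both hooked functions start above their hunks (the parameter list is cut), so the remaining parameters are not visible here.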
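Review bot: `lpLibFileName` is now dead in the @@ -24 hunk of entrypoint.c: with the `InjectLibrary(...)` call removed, `GetModuleFileName` fills a buffer that nothing reads, and nothing else in this commit shows the injection moving elsewhere, so either the two preceding lines should go with it or the call should be reinstated. If the lookup stays, the `GetModuleFileName` return value is still unchecked, so a failed or truncated lookup would be passed on silently. Rundll32Entry starts before this hunk, so the earlier part of the function is not visible here.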
@@ -5,24 +5,6 @@
 #include "service.h"
 #include "shellapihelper.h"
-BOOL get_svcpath(SC_HANDLE hSCManager, LPCTSTR lpServiceName, LPTSTR lpBinaryPathName, SIZE_T dwSize) {
- HANDLE hService = OpenService(hSCManager, lpServiceName, SERVICE_QUERY_CONFIG);
- if (!hService) {
- return FALSE;
- }
-
- DWORD cbBytesNeeded;
- QueryServiceConfig(hService, NULL, 0, &cbBytesNeeded);
- LPQUERY_SERVICE_CONFIG sc = malloc(cbBytesNeeded);
- BOOL result = QueryServiceConfig(hService, sc, cbBytesNeeded, &cbBytesNeeded);
- CloseServiceHandle(hService);
- if (result) {
- _tcscpy_s(lpBinaryPathName, dwSize, sc->lpBinaryPathName);
- }
- free(sc);
- return result;
-}
-
 BOOL get_svcdllA(LPCSTR lpServiceName, LPSTR lpServiceDll, DWORD dwSize) {
 CHAR lpSubKey[MAX_PATH + 1];
 sprintf_s(lpSubKey, _countof(lpSubKey), "SYSTEM\\CurrentControlSet\\services\\%s\\Parameters", lpServiceName);
@@ -61,6 +43,7 @@ BOOL get_svcpid(SC_HANDLE hSCManager, LPCTSTR lpServiceName, DWORD *lpdwProcessI
 && lpBuffer.dwProcessId) {
 *lpdwProcessId = lpBuffer.dwProcessId;
+ _tdbgprintf(_T("Got pid for service %s: %d."), lpServiceName, *lpdwProcessId);
 result = TRUE;
 }
 CloseServiceHandle(hService);
@@ -88,6 +71,7 @@ BOOL get_svcgname(SC_HANDLE hSCManager, LPCTSTR lpServiceName, LPTSTR lpGroupNam
 if (!_tcsicmp(*(p++), _T("-k"))) {
 _tcscpy_s(lpGroupName, dwSize, *p);
 result = TRUE;
+ _tdbgprintf(_T("Got group name of service %s: %s."), lpServiceName, lpGroupName);
 break;
 }
 }
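Review bot: The new print in the @@ -61 hunk formats `*lpdwProcessId`, a DWORD, with `%d`; DWORD is unsigned long, so the matching conversion is `%lu`, `_tdbgprintf(_T("Got pid for service %s: %lu."), lpServiceName, *lpdwProcessId);`. The print added in get_svcgpid at @@ -112 has the same mismatch. get_svcpid and get_svcgname both start before their hunks, so the surrounding control flow is not visible here.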
@@ -95,6 +79,24 @@ BOOL get_svcgname(SC_HANDLE hSCManager, LPCTSTR lpServiceName, LPTSTR lpGroupNam
 return result;
 }
+BOOL get_svcpath(SC_HANDLE hSCManager, LPCTSTR lpServiceName, LPTSTR lpBinaryPathName, SIZE_T dwSize) {
+ HANDLE hService = OpenService(hSCManager, lpServiceName, SERVICE_QUERY_CONFIG);
+ if (!hService) {
+ return FALSE;
+ }
+
+ DWORD cbBytesNeeded;
+ QueryServiceConfig(hService, NULL, 0, &cbBytesNeeded);
+ LPQUERY_SERVICE_CONFIG sc = malloc(cbBytesNeeded);
+ BOOL result = QueryServiceConfig(hService, sc, cbBytesNeeded, &cbBytesNeeded);
+ CloseServiceHandle(hService);
+ if (result) {
+ _tcscpy_s(lpBinaryPathName, dwSize, sc->lpBinaryPathName);
+ }
+ free(sc);
+ return result;
+}
+
 BOOL get_svcgpid(SC_HANDLE hSCManager, LPTSTR lpServiceGroupName, DWORD *lpdwProcessId) {
 DWORD uBytes = 0x100000;
 LPBYTE pvData = malloc(uBytes);
@@ -112,6 +114,7 @@ BOOL get_svcgpid(SC_HANDLE hSCManager, LPTSTR lpServiceGroupName, DWORD *lpdwPro
 }
 if (result) {
 *lpdwProcessId = dwProcessId;
+ _tdbgprintf(_T("Got pid for service group %s: %d."), lpServiceGroupName, *lpdwProcessId);
 break;
 }
 }
diff --git a/wufuc/service.h b/wufuc/service.h
index bb3d439..447e5fe 100644
--- a/wufuc/service.h
+++ b/wufuc/service.h
@@ -1,6 +1,5 @@
 #pragma once
-BOOL get_svcpath(SC_HANDLE hSCManager, LPCTSTR lpServiceName, LPTSTR lpBinaryPathName, SIZE_T dwSize);
 BOOL get_svcdllA(LPCSTR lpServiceName, LPSTR lpServiceDll, DWORD dwSize);
@@ -10,4 +9,6 @@ BOOL get_svcpid(SC_HANDLE hSCManager, LPCTSTR lpServiceName, DWORD *lpdwProcessI
 BOOL get_svcgname(SC_HANDLE hSCManager, LPCTSTR lpServiceName, LPTSTR lpGroupName, SIZE_T dwSize);
+BOOL get_svcpath(SC_HANDLE hSCManager, LPCTSTR lpServiceName, LPTSTR lpBinaryPathName, SIZE_T dwSize);
+
 BOOL get_svcgpid(SC_HANDLE hSCManager, LPTSTR lpServiceGroupName, DWORD *lpdwProcessId);
diff --git a/wufuc/util.c b/wufuc/util.c
index 6a5c858..674eb7e 100644
--- a/wufuc/util.c
+++ b/wufuc/util.c
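Review bot: In the relocated get_svcpath at @@ -95, `cbBytesNeeded` is declared uninitialized and only the sizing call `QueryServiceConfig(hService, NULL, 0, &cbBytesNeeded)` is expected to set it; if that call fails for any reason other than an insufficient buffer, `malloc` receives an indeterminate size, and its result is never checked before the second query. Initialize it, `DWORD cbBytesNeeded = 0;`, and return FALSE after `CloseServiceHandle(hService);` when `cbBytesNeeded` is zero or `malloc` returns NULL, so the later `sc->lpBinaryPathName` read can only happen on a real buffer. This is a move rather than new logic, so it may be a follow-up, but the function is being touched anyway; `hService` would also more accurately be declared `SC_HANDLE`.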
@@ -17,7 +17,7 @@ VOID DetourIAT(HMODULE hModule, LPSTR lpFuncName, LPVOID *lpOldAddress, LPVOID l
 if (lpOldAddress) {
 *lpOldAddress = *lpAddress;
 }
- _dbgprintf("%s %p => %p", lpFuncName, *lpAddress, lpNewAddress);
+ _dbgprintf("Detoured %s from %p to %p.", lpFuncName, *lpAddress, lpNewAddress);
 *lpAddress = lpNewAddress;
 VirtualProtect(lpAddress, sizeof(LPVOID), flOldProtect, &flNewProtect);
 }
@@ -97,7 +97,7 @@ BOOL InjectLibrary(DWORD dwProcessId, LPCTSTR lpLibFileName, DWORD cb) {
 }
 } while (Module32Next(hSnap, &me));
 CloseHandle(hSnap);
- _tdbgprintf(_T("Injecting %s into process %d"), lpLibFileName, dwProcessId);
+
 HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)GetProcAddress(me.hModule, _CRT_STRINGIZE(LoadLibrary)), lpBaseAddress, 0, NULL);
 CloseHandle(hThread);
 CloseHandle(hProcess);